diff options
author | Ade Lee <alee@redhat.com> | 2017-05-26 13:06:18 -0400 |
---|---|---|
committer | Ade Lee <alee@redhat.com> | 2017-06-07 16:00:41 -0400 |
commit | 38df4274214938ceece85627abb6d4fe77b960ff (patch) | |
tree | c3361a13185302f03ddb4162aa04f5816190c27d /base/server/cms | |
parent | 9db838825b60719e6670c92957db3f33c5b12ae0 (diff) | |
download | pki-38df4274214938ceece85627abb6d4fe77b960ff.tar.gz pki-38df4274214938ceece85627abb6d4fe77b960ff.tar.xz pki-38df4274214938ceece85627abb6d4fe77b960ff.zip |
Refactor client to not use keysets
It is simpler to simply tell the client which
algorithm to use for key wrapping and encryption, rather
than use key sets. Therefore:
* KRAInfo and CAInfo are refactored to provide the
algorithms required for key wrapping and encryption.
* Client is modified to use these parameters to determine
which algorithms to use.
* We specify the OIDs that will be used in the PKIARchiveOptions
more correctly. The options are basically:
AES-128-CBC, DES3-CBC, AES KeyWrap/Pad
Change-Id: Ic3fca902bbc45f7f72bcd4676c994f8a89c3a409
Diffstat (limited to 'base/server/cms')
-rw-r--r-- | base/server/cms/src/org/dogtagpki/server/rest/CAInfoService.java | 18 | ||||
-rw-r--r-- | base/server/cms/src/org/dogtagpki/server/rest/KRAInfoService.java | 40 |
2 files changed, 49 insertions, 9 deletions
diff --git a/base/server/cms/src/org/dogtagpki/server/rest/CAInfoService.java b/base/server/cms/src/org/dogtagpki/server/rest/CAInfoService.java index 398f49982..52c9ca00f 100644 --- a/base/server/cms/src/org/dogtagpki/server/rest/CAInfoService.java +++ b/base/server/cms/src/org/dogtagpki/server/rest/CAInfoService.java @@ -28,6 +28,8 @@ import org.dogtagpki.common.CAInfo; import org.dogtagpki.common.CAInfoResource; import org.dogtagpki.common.KRAInfo; import org.dogtagpki.common.KRAInfoClient; +import org.mozilla.jss.crypto.EncryptionAlgorithm; +import org.mozilla.jss.crypto.KeyWrapAlgorithm; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -73,7 +75,8 @@ public class CAInfoService extends PKIService implements CAInfoResource { // KRA-related fields (the initial values are only used if we // did not yet receive authoritative info from KRA) private static String archivalMechanism = KRAInfoService.KEYWRAP_MECHANISM; - private static String wrappingKeySet = "0"; + private static String encryptAlgorithm; + private static String keyWrapAlgorithm; @Override public Response getInfo() throws Exception { @@ -116,7 +119,8 @@ public class CAInfoService extends PKIService implements CAInfoResource { } info.setArchivalMechanism(archivalMechanism); - info.setWrappingKeySet(wrappingKeySet); + info.setEncryptAlgorithm(encryptAlgorithm); + info.setKeyWrapAlgorithm(keyWrapAlgorithm); } } @@ -125,10 +129,8 @@ public class CAInfoService extends PKIService implements CAInfoResource { KRAInfo kraInfo = getKRAInfoClient(connInfo).getInfo(); archivalMechanism = kraInfo.getArchivalMechanism(); - - // request succeeded; the KRA is 10.4 or higher, - // therefore supports key set v1 - wrappingKeySet = "1"; + encryptAlgorithm = kraInfo.getEncryptAlgorithm(); + keyWrapAlgorithm = kraInfo.getWrapAlgorithm(); // mark info as authoritative kraInfoAuthoritative = true; @@ -137,8 +139,8 @@ public class CAInfoService extends PKIService implements CAInfoResource { // The KRAInfoResource was added in 10.4, // so we are talking to a pre-10.4 KRA - // pre-10.4 only supports key set v0 - wrappingKeySet = "0"; + encryptAlgorithm = EncryptionAlgorithm.DES3_CBC_PAD.toString(); + keyWrapAlgorithm = KeyWrapAlgorithm.DES3_CBC_PAD.toString(); // pre-10.4 KRA does not advertise the archival // mechanism; look for the old knob in CA's config diff --git a/base/server/cms/src/org/dogtagpki/server/rest/KRAInfoService.java b/base/server/cms/src/org/dogtagpki/server/rest/KRAInfoService.java index c4b3252b2..a9c3cdfc1 100644 --- a/base/server/cms/src/org/dogtagpki/server/rest/KRAInfoService.java +++ b/base/server/cms/src/org/dogtagpki/server/rest/KRAInfoService.java @@ -29,14 +29,25 @@ import org.slf4j.LoggerFactory; import com.netscape.certsrv.apps.CMS; import com.netscape.certsrv.base.EBaseException; import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.kra.IKeyRecoveryAuthority; +import com.netscape.certsrv.security.IStorageKeyUnit; import com.netscape.cms.servlet.base.PKIService; +import netscape.security.util.WrappingParams; + /** * @author Ade Lee */ public class KRAInfoService extends PKIService implements KRAInfoResource { private static Logger logger = LoggerFactory.getLogger(InfoService.class); + private IKeyRecoveryAuthority kra; + private IStorageKeyUnit storageUnit; + + public KRAInfoService() { + kra = (IKeyRecoveryAuthority) CMS.getSubsystem("kra"); + storageUnit = kra.getStorageKeyUnit(); + } @Override public Response getInfo() throws Exception { @@ -47,7 +58,8 @@ public class KRAInfoService extends PKIService implements KRAInfoResource { KRAInfo info = new KRAInfo(); info.setArchivalMechanism(getArchivalMechanism()); info.setRecoveryMechanism(getRecoveryMechanism()); - + info.setEncryptAlgorithm(getEncryptAlgorithm()); + info.setArchivalMechanism(getWrapAlgorithm()); return createOKResponse(info); } @@ -63,5 +75,31 @@ public class KRAInfoService extends PKIService implements KRAInfoResource { boolean encrypt_recovery = cs.getBoolean("kra.allowEncDecrypt.recovery", false); return encrypt_recovery ? KRAInfoResource.ENCRYPT_MECHANISM : KRAInfoResource.KEYWRAP_MECHANISM; } + + String getWrapAlgorithm() throws EBaseException { + IConfigStore cs = CMS.getConfigStore(); + boolean encrypt_archival = cs.getBoolean("kra.allowEncDecrypt.archival", false); + WrappingParams params = null; + try { + params = storageUnit.getWrappingParams(encrypt_archival); + } catch (Exception e) { + // return something that should always work + return "AES/CBC/Padding"; + } + return params.getPayloadWrapAlgorithm().toString(); + } + + String getEncryptAlgorithm() throws EBaseException { + IConfigStore cs = CMS.getConfigStore(); + boolean encrypt_archival = cs.getBoolean("kra.allowEncDecrypt.archival", false); + WrappingParams params = null; + try { + params = storageUnit.getWrappingParams(encrypt_archival); + } catch (Exception e) { + // return something that should always work + return "AES/CBC/Padding"; + } + return params.getPayloadEncryptionAlgorithm().toString(); + } } |